LibreOffice is a free and open source office suite, developed by The Document
Foundation. It is descended from OpenOffice.org, from which it was forked in 2010.
The LibreOffice suite includes a word processor, spreadsheet, graphics editor,
slideshow creator, database and math formula writer.

http://www.libreoffice.org/

Versions 3.5.1 through the newest, 4.0.1.2, are affected; older versions were
not tested.

A LibreOffice user can click the "Download" and "Install" buttons, and
LibreOffice will download and install the update.

This update mechanism contains two security flaws:

1. The update check is done over an unencrypted HTTP channel. A malicious third
party is able to conduct Man-in-the-Middle (MitM) attacks and spoof the server
response. In this way it is possible to instruct LibreOffice to download a
malicious update.